Trust is an almost priceless thing these days. Organizations large and small are scrambling to stay ahead of emerging threats as well as new regulatory measures designed to keep hackers at bay.
According to a report by Gemalto, more than 290 digital records were compromised every second of every day in the first half of 2018 alone.
If you’re a business owner, or are just interested in technology and cybersecurity, you may have heard of zero trust security. It’s become an important plank in any organization’s plan to protect data and keep people safe. What is it, and why should you start using it right now?
The fundamentals of zero trust
It may sound deceptively simple at first, but a basic description of zero trust security goes something like this: It’s a security model for information technology (IT) that requires airtight identity verification for every participant in a private network before each connection attempt.
Zero trust makes no distinction between a client outside or inside the perimeter of the network. Everybody must demonstrate trustworthiness — that they are who they claim to be — before they are granted access.
Zero trust doesn’t rely on any one technology — it requires a combination of several best practices plus the right hardware and software.
More familiar IT security models resembled “castles” and “moats.” That made it tricky for bad actors outside the network to find their way inside, but it meant giving a pass to clients already within the system. It made the dangerous assumption that if somebody made it that far in the first place, they’re probably supposed to be there.
However, the castle-and-moat approach also means that once a bad actor obtains access, they have nearly free reign over the network. The problem gets even harder to manage when you consider the mix of cloud vendors and other locations housing modern business data. Multiple repositories make it difficult to apply a single security policy.
The bottom line for zero trust is that it acknowledges that modern security threats can come from inside or outside an organization and facility. It’s a reversal of the “trust but verify” model. It becomes, “verify first, trust second.”
What best practices and technology does zero trust require?
There are several best practices that an organization must commit to before it starts talking about specific technologies or vendors. They are:
- No attempt at network connectivity may be granted automatic trust, be it automated machine access or a human user. Trust is earned, every time.
- Organizations must implement “least-privilege access.” This requires organizations to issue credentials that unlock only the databases and functionality that each employee needs to perform their functions, and prevents access to any others.
- A company or organization must know which devices are connected to its network and when, so it can accurately appraise the current threat surface. That means implementing strict controls on whether personal devices may be used for work purposes and which security protocols must be put in place.
Organizations that want to apply a blanket of security across their applications and web properties have several vendors and features to choose from.
The technologies that power zero trust security
Before they go window shopping for a zero trust security solution, companies and organizations must think about which features they’ll need today and which ones they might need as they grow.
For instance, look for functionality that makes it easy to manage per-user access and credentials for in-house and remote employees alike.
The best zero trust networks will also use micro-segmentation, which is where a broad security perimeter is demarcated into separate access zones.
That kind of granular approach means critical workloads are isolated from the others or allowed to selectively work together in a way that boosts functionality without forsaking security.
Multifactor authentication is another important addition to zero trust security. Remember that the central tenet of zero trust is confirmation of identity for every user or client of the network. However, simply entering a password doesn’t constitute identity verification. In fact, it’s only one leg of the famous security trifecta: something you know, something you have and something you are.
Therefore, multifactor authentication could be thought of as the backbone of any serious zero trust security program. After a user enters a password — something they know — they may be required to swipe a badge or respond on a secondary device with a temporary code — something they have. A fully holistic approach to security would top things off with a fingerprint or retina scan — something they are.
Should you use zero trust security?
The last question left is: Should my company use zero trust security? Depending on whom you ask and the work you do, the answer might be, “You should’ve started already.”
You should know by now whether something like the General Data Protection Regulation in the EU applies to your business model, because it may serve as a template for similar data stewardship measures in the U.S. and elsewhere.
Knowing your sensitive customer, client or patient data is as well-protected as it can be means you can get ahead of regulatory and compliance trends. To have a better idea of whether zero trust is a good idea for you, consider whether, how and how often you handle information that would cause a significant loss for you or one of your customers if it became compromised.
Some university data management policies, for instance, create security classification tiers to determine how much of their data falls under compliance protections. They can decide where to apply managed access and other targeted security measures.
Finally, using zero trust security is a way to acknowledge that not every digital threat comes from outside an organization.
It’s not pleasant to think about, but one poll found that 42% of small-business owners named negligence or accidental loss as the reason behind their most recent cybersecurity incidents. Inside jobs are real — and they can come about for any number of reasons, including a disgruntled or just plain forgetful employee.
No matter what work you do, it’s dangerous to assume you’re out of harm’s way or not worth a criminal’s time. Zero trust security offers a way to protect your business or organization from an abundance of threats. Like anything, it’s not bulletproof — but it’s become an essential part of a robust security solution.